Reporting a Vulnerability
Send vulnerability reports to support@corsa.finance. Include as much detail as possible:
- Description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Affected system or endpoint
- Any proof-of-concept code or screenshots
- Your contact information for follow-up
What to Expect
| Step | What Happens |
|---|---|
| Acknowledgment | We confirm receipt of your report promptly. |
| Initial assessment | Our security team evaluates the report and determines severity. |
| Status update | You receive a severity classification and next steps. |
| Remediation | We prioritize the fix based on severity and impact. |
| Disclosure | We coordinate disclosure timing with you after remediation. |
Scope
The following systems and services are in scope:
- The Corsa platform
- The Corsa REST API
- Official Corsa SDKs
Out of Scope
- Third-party services that Corsa integrates with
- Social engineering or physical attacks against Corsa employees or offices
- Denial-of-service (DoS/DDoS) attacks
- Automated scanning that degrades service availability
Safe Harbor
We consider security research conducted in accordance with this policy to be authorized, and we will not pursue legal action against researchers who:
- Act in good faith and follow this disclosure policy
- Avoid accessing, modifying, or deleting data that does not belong to them
- Do not disrupt Corsa services or degrade the experience for other users
- Report vulnerabilities promptly and do not publicly disclose them before remediation
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
Third-Party Penetration Testing
In addition to our responsible disclosure program, Corsa engages independent third-party security firms to conduct penetration tests on a regular cadence. These assessments cover:
- External network penetration testing
- Web application security testing
- API security assessment
- Cloud configuration review